Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

On Thu, Jun 11, 2009 at 4:35 AM, Jonathan Rees <jar@creativecommons.org> wrote:
> I think this may be a foolish question, but is the value of Origin:
> limited to sites? Couldn't it be an individual web page (URI)? Or a
> wildcard? Is there some principled reason for such a limitation (if it
> exists)?

If we changed the value of the Origin header to be a URI instead of
an origin, then it would be very similar to the Referer header.
Limiting the Origin header to an origin improves the privacy of the
Referer header. Also, the additional information (path, query, etc.)
is not useful for making security decisions because the URIs can just
script each other on the client anyway.

Adam

Received on Thursday, 11 June 2009 17:25:09 UTC
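The point above, that a server-side CSRF check should compare origins (scheme, host, port) and that any path or query in a Referer adds nothing, as an added example that is not part of the original thread. Names such as `origin_of`, `request_allowed` and the trusted-origin set are assumptions for illustration only.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(uri: str) -> Optional[str]:
    """Reduce a URI (or an Origin header value) to its origin, serialised as
    scheme://host[:port]. Path, query and fragment are dropped, because two
    pages in the same origin can script each other anyway. Returns None for
    anything that is not an http(s) URI, including the literal "null" origin."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    default = DEFAULT_PORTS[parts.scheme]
    port = port or default
    host = parts.hostname  # urlsplit lower-cases the host for us
    if port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def request_allowed(headers: dict, trusted_origins: set) -> bool:
    """Server-side anti-CSRF check for a state-changing request.
    Prefer the Origin header; fall back to the Referer reduced to its origin.
    Reject when neither header is present, when the origin is "null" or
    unparsable, or when it is not in the allow-list."""
    origin = None
    if "Origin" in headers:
        origin = origin_of(headers["Origin"])
    elif "Referer" in headers:
        origin = origin_of(headers["Referer"])
    return origin is not None and origin in trusted_origins


# Constructed sample data for the demonstration below.
TRUSTED = {"https://example.com", "https://app.example.com:8443"}

if __name__ == "__main__":
    # Both URIs collapse to the same origin; the path carries no extra trust.
    print(origin_of("https://example.com/account/settings?tab=1"))  # https://example.com
    print(origin_of("https://example.com/"))                        # https://example.com
    print(request_allowed({"Origin": "https://example.com"}, TRUSTED))        # True
    print(request_allowed({"Origin": "https://attacker.example"}, TRUSTED))   # False
    print(request_allowed({"Referer": "https://example.com/p.html"}, TRUSTED))  # True
    print(request_allowed({}, TRUSTED))                                      # False
```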